If Microsoft issued an ultimatum like this, they'd be blasted for 'abusing monopoly status.'

That's irrelevant. Google is using its bully pulpit regardless, and to effect unquestionably necessary and appropriate change. The world of crypto has been awash with lazy, poorly-constructed security since its inception and this is in serious need of cleaning-up before NSA-style tools start to become commonly-used by private blackhats at large.

I can't imagine Symantec is the only CA in disarray. Hey, that rhymes.

Oh, definitely not. The whole CA thing is a complete clusterf@#$ of incompetent, complacent, corporate douches issuing certs left and right to anyone, and only occasionally do they get so amazingly obviously broken like DigiNotar that there are any consequences for it at all. The whole system is broken in that it's trivial for a bad actor to get a cert that someone like Symantec swears is trustworthy, but nobody wants to go to the effort of a distributed trust system like Moxie Marlinspike champions. It's too much wooooooooork.

Symantec should maybe be completely cut off here for this and other f#@$ups, but they own probably more than 1/3 of all public certs (Thawte, Geotrust, Verisign), so they're just Too Big to Fail.

This seems wholly appropriate to me. The only thing better would be if the other browser makers piled on. It seems like the only way to get CAs to shape up is public shaming.

The ultimatum itself, I don't really have a problem with. Symantec's behavior here really is ... 'Sloppy' hardly begins to cover it. Hundreds of certificates affecting thousands of domains must surely have taken years to be issued. Even if 'employees', plural, means there were in fact multiple bad apples. There are supposed to be controls in place making it difficult or impossible to do this at scale. Why didn't they work? And then, Symantec's initial audit turned up less than a fifth of the total bad certificates? And Google says they found more in literally minutes of searching?

Un. Believable.

What I find a bit much is the fact that the ultimatum was delivered publicly. They didn't have one of their VPs privately contact the CSO at Symantec and deliver the ultimatum; they decided to publicly threaten Symantec. Perhaps they already did that and weren't taken seriously (we wouldn't know, naturally), but I find that hard to believe. Google must be really pissed off.

If Microsoft issued an ultimatum like this, they'd be blasted for 'abusing monopoly status.'

Nope. I think Google's actually being too lenient here. Symantec has violated the agreement that allows their root CA certificates to be trusted by Chrome. They have similar agreements with MS and Mozilla. By the letter of these agreements, any of these browsers could legitimately stop trusting the Symantec root CA certificates. By offering a remedy, Google is doing them a favor. Not out of altruism, of course, but because enough sites have Symantec certificates that flagging all of them would seriously inconvenience their users.

No one would bat an eye at Symantec being placed in the untrusted cert store by MS... I actually think they're derelict in their duty by not doing so. Google has offered a reasonable but generous compromise.

It's quite simple. If a CA issues certificates for a domain to people who don't control that domain, that CA should no longer be trusted by browsers that are relying on it to bind keys to server names. Full stop. If anything, we should be blasting MS for not taking similar action. If Symantec had issued these for windows update servers instead of google servers, do you think we might see more movement from MS?

If Microsoft issued an ultimatum like this, they'd be blasted for 'abusing monopoly status.'

Perhaps not entirely clear from the story: Symantec gave out certificates for Google domain names, just like DigiNotar certificates were given out for domains like gmail.com and used by secret services to man-in-the-middle dissidents.

Ryan Sleevi (a senior engineer in Google's Security Team and Chrome team, not a manager) is right, this is not a political or business decision, but a purely factual and technical one. If anything, he is giving them the benefit of the doubt I would not have.

Browser vendors are in a quandary. If they use the nuclear option and the ban-hammer, they also inconvenience millions of users, and in the browser wars even a small inconvenience can cause many to switch.

The elephant in the room is Comodo, which was breached by outsiders in 2011, not insiders, which is arguably worse. They are such a big player and a well-connected one that they were treated with kid gloves by all the browser vendors. What's worse, the certificate used by Apple to authenticate its software updates was signed by Comodo. At some point in the last 2 years (probably 2014-04-14) they switched from Comodo to Symantec - jumping from the frying pan into the fire...

If Microsoft issued an ultimatum like this, they'd be blasted for 'abusing monopoly status.'

Perhaps not entirely clear from the story: Symantec gave out certificates for Google domain names, just like DigiNotar certificates were given out for domains like gmail.com and used by secret services to man-in-the-middle dissidents.

Google has every right to be fuming about this.

This. I said it above, but I'll say it more succinctly here. Symantec has abused the agreement they had with every browser. It is maddening that MS and Mozilla are not (so far) fuming about this and taking similar action. If the certs they gave out were for windows update or mozilla addons, you can bet they'd be more active.

Too bad they did not just kill off Symantec as a CA. Fewer CAs means fewer CAs to scrutinize, and increased revenue for the survivors, which incentivizes them to act to protect the revenue stream.

Giving these dumbasses a pass is just not necessary. Symantec can just stick to making crap virus software that needlessly annoys users all day long.

Unfortunately, Symantec has acquired (at least) VeriSign's and Thawte's CAs. Killing them all off would really crap up the user experience for a lot of valid sites too.

My god, when did these disasters happen? I totally missed that. I guess we have to settle for some bitch slapping and lies about how they are totally not screwing up anymore and taking security super cereal now.

Maybe Apple and Google can give back and fund some high quality CA with their cash hoards.

Symantec is one of the most interesting tech companies out there, in my opinion.

It's amazing that they're still around at all. No matter what business they are in at the moment, they are pretty much always the worst choice. They've bounced from one business to another as their old businesses die. They buy their way into a market, and then ruin the products they buy, thus making it necessary to shift gears and buy into some other market.

But despite that, they're still around, when so many other companies have just curled up and died.

I'm willing to deal with the inconvenience. I just removed Symantec from the "Intermediate Certificate Authorities" list in Chrome. I guess I'll find out how much it hurts.

What platform? Honestly, IIRC it'll come back unless you took some additional measure. Removing an intermediate CA is generally useless, as it'll be sent back down to you the first time you visit a server whose certificate it issued, and it will be verified up to one of the roots included with your browser.
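The point made in that reply, that the intermediate comes from the server's handshake while only the root has to be in the local store, can be shown with Go's standard-library x509 verifier. The following is an added example and is not code from the original thread or from any browser; it mints a constructed root, intermediate and leaf (the names "Example Root CA", "Example Intermediate CA" and "www.example.test" are hypothetical) and then checks the same leaf three ways: intermediate supplied by the server with the root trusted, intermediate missing, and root removed from the trust store. Only the last case models an effective local distrust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate from tmpl. With parent == nil the
// certificate is self-signed (a root); otherwise it is signed with parentKey.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate builds a CA certificate template (constructed, hypothetical names).
func caTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// buildChain mints root -> intermediate -> leaf for the hypothetical host www.example.test.
func buildChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate, error) {
	root, rootKey, err := issue(caTemplate(1, "Example Root CA"), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue(caTemplate(2, "Example Intermediate CA"), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, inter, interKey)
	return root, inter, leaf, err
}

// verifyAsBrowser models the browser's view: trust anchors come only from the local
// store (an explicit pool, never the system one), everything else from the handshake.
func verifyAsBrowser(leaf *x509.Certificate, localRoots, serverSent []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range localRoots {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range serverSent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.example.test", Roots: roots, Intermediates: inters})
	return err
}

// RunScenarios reports, per scenario, whether the leaf chained to a trusted root.
func RunScenarios() (map[string]bool, error) {
	root, inter, leaf, err := buildChain()
	if err != nil {
		return nil, err
	}
	none := []*x509.Certificate{}
	return map[string]bool{
		// Intermediate absent from every local store, but the server sends it: valid.
		"root trusted, intermediate sent by server": verifyAsBrowser(leaf, []*x509.Certificate{root}, []*x509.Certificate{inter}) == nil,
		// Server omits the intermediate and nothing local fills the gap: invalid.
		"root trusted, intermediate not sent": verifyAsBrowser(leaf, []*x509.Certificate{root}, none) == nil,
		// Root removed from the trust store; the server even sends the root itself,
		// which the verifier treats as just another untrusted certificate: invalid.
		"root distrusted, intermediate and root sent by server": verifyAsBrowser(leaf, none, []*x509.Certificate{inter, root}) == nil,
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range results {
		fmt.Printf("%-55s valid=%v\n", name, ok)
	}
}
```

The practical reading: deleting an intermediate from a local store changes nothing, because the verifier rebuilds the path from what the server sends; removing or explicitly distrusting the root is what actually stops the chain from validating. Chrome on Windows and macOS used the operating system's certificate store at the time of this thread, so a root distrust would have to be applied there rather than in a Chrome-only list.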

Symantec is certified by the United States Department of Defense (DoD) as a provider of External Certification Authority (ECA) digital certificates for government contractors, state and local governments and employees of foreign governments. ECA certificates enable secure on-line transactions with DoD agencies. Installed in a browser or email program, ECA certificates can be used for such activities as authenticating identity for access to DoD websites, digitally signing documents, and encrypting e-mail communications. Symantec ECA certificates are sold as a set which includes an ECA Identity certificate and an ECA Encryption certificate. Your purchase also includes a key escrow service which enables the recovery of your data in the event that you lose the computer or hardware device that contains the private keys matched with your ECA certificates.

... the certificate used by Apple to authenticate its software updates was signed by Comodo. At some point in the last 2 years (probably 2014-04-14) they switched from Comodo to Symantec - jumping from the frying pan into the fire...

That's a good (and frightening) point for everyone currently using a Mac. Any word on whether some of these evil certs were issued for the Apple domain?